Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

jettyd

v1.1.1

Interact with IoT devices via the jettyd platform — read sensors, send commands, manage rules, and list devices

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (jettyd IoT platform) match the requested binaries (node), env var (JETTYD_API_KEY), and the included CLI and LangChain example which call https://api.jettyd.com/v1. Nothing requests unrelated cloud providers or broad system access.
Instruction Scope
SKILL.md and the scripts only instruct the agent to read the declared OpenClaw config (~/.openclaw/openclaw.json) or JETTYD_API_KEY, and to call the jettyd API endpoints. The example LangChain tool references OPENAI_API_KEY for demo purposes (not declared in the skill manifest) — this is an examples-only convenience, not required by the skill itself.
Install Mechanism
No install spec is provided (instruction-only). The package includes local scripts and examples but does not download or run third-party installers or remote archives, minimizing install-time risk.
Credentials
The skill requires a single API credential (JETTYD_API_KEY) and optionally reads JETTYD_BASE_URL or ~/.openclaw/openclaw.json for the same key — proportional to its purpose. No unrelated secrets or multiple credentials are requested.
Persistence & Privilege
always is false and the skill does not request permanent system-wide changes. It does not modify other skills or global agent settings automatically. Note: agent-autonomous invocation is allowed by default (normal for skills).
Assessment
This skill appears coherent with its stated purpose, but before installing:
1) only provide a jettyd API key (JETTYD_API_KEY) and avoid reusing high-privilege keys — use a scoped key if the platform supports it and rotate it if possible;
2) the skill will read ~/.openclaw/openclaw.json if present — ensure that file does not contain other secrets you don't want shared;
3) the skill can send commands and push rules to real devices (physical actions) and can create webhooks that forward events to external URLs — be careful what rules or webhooks you deploy and which endpoints you register;
4) example code references OPENAI_API_KEY for demos; that is not required by the skill itself but watch for any examples that ask you to add other credentials;
5) review the scripts (scripts/jettyd-cli.js and examples) yourself if you have sensitive devices, and consider testing with a non-production account or a device you can safely control.
Overall the package is internally consistent and nothing in the files points to unexplained or disproportionate access.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/jettyd-cli.js:14: Environment variable access combined with network send.
scripts/jettyd-cli.js:7: File read combined with network send (possible exfiltration).

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Bins: node
Env: JETTYD_API_KEY
